Make sure your software supports OpenID Connect
Several software products already support OpenID Connect out of the box. If your software is amongst these, you can continue to the next paragraph.
We strongly advise you not to build your own OpenID Connect implementation, but to use one of the libraries or products already available. A home-grown client has to get ID token signature validation, issuer, audience, nonce and expiry checks, and redirect URI handling right, and mistakes in any of these are common and exploitable; certified implementations have been tested against the conformance suite. The official OpenID website provides an overview of certified and uncertified implementations.
Attributes and claims
In SAML, attributes contain information about the authenticated user, such as name, email address or affiliation. OpenID Connect (OIDC) calls these claims. In SURFconext, the user authenticates at their Identity Provider (called OpenID Provider in OIDC); this all happens using SAML. SURFconext translates the incoming SAML attributes to OIDC claims and provides them at the userinfo endpoint for your Service Provider (Relying Party in OIDC terms) to consume.
Please note: SURFconext only caches the claims at the userinfo endpoint for a limited amount of time, namely 1 hour after a successful authentication. A request to the userinfo endpoint after that hour no longer yields the claims, and the user is required to re-authenticate. Retrieve the claims you need right after the authentication, and be prepared to send the user through a new authentication when the userinfo request is rejected later.
A list of available (SAML) attributes in SURFconext is located here: Attributes in SURFconext. You can use any of those attributes in your service; however, you must comply with our data minimisation policy, meaning you are only allowed to receive the bare minimum of attributes strictly needed to operate your service.
The following table describes the translation from SAML attributes to OIDC claims:
| OIDC claim | Description of SAML attribute |
|---|---|
| sub | OpenID Subject (not available as SAML attribute) |
| given_name | Givenname attribute |
| family_name | Surname attribute |
| name | Display name attribute |
| locale | Preferred language attribute |
| email | Email address attribute |
| schacHomeOrganization | Organization attribute |
| schacHomeOrganizationType | Organization type attribute |
| eduPersonAffiliation | Affiliation attribute |
| eduPersonEntitlement | Entitlement attribute |
| uid | Uid attribute |
| schacPersonalUniqueCode | Personal code attribute |
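The following is an added example of the Service Provider side of the flow described above; it is not SURFconext's own code and not part of this page's original content. It consumes a userinfo response using the claim names from the table, keeps only the claims the service is entitled to under the data minimisation policy, checks that the `sub` matches the ID token's subject (an OpenID Connect Core requirement), and treats an expired cache (the 1 hour window) as "re-authenticate". The sample userinfo body is constructed, not captured from SURFconext. It assumes, which the page does not state, that multi-valued attributes arrive as JSON arrays and that a rejected userinfo request answers with HTTP 401; the helper and exception names are hypothetical.

```python
"""
Added example (not SURFconext's own code): consuming SURFconext OIDC claims
on the Service Provider side.

Assumptions not stated on the page:
  * the userinfo response is a JSON object keyed by the claim names in the table;
  * multi-valued attributes (affiliation, entitlement, personal code) arrive as
    JSON arrays, although a single value may also appear as a plain string;
  * once the cached claims have expired, the endpoint answers with HTTP 401.
"""
import json
import time

# Page: SURFconext keeps the claims at userinfo for 1 hour after authentication.
USERINFO_TTL_SECONDS = 3600

# Claim names exactly as listed in the page's translation table.
STANDARD_CLAIMS = {"sub", "given_name", "family_name", "name", "locale", "email"}
EDU_CLAIMS = {"schacHomeOrganization", "schacHomeOrganizationType",
              "eduPersonAffiliation", "eduPersonEntitlement", "uid",
              "schacPersonalUniqueCode"}
KNOWN_CLAIMS = STANDARD_CLAIMS | EDU_CLAIMS
MULTI_VALUED = {"eduPersonAffiliation", "eduPersonEntitlement",
                "schacPersonalUniqueCode"}  # assumption, see module docstring


class ReauthenticationRequired(Exception):
    """Raised when the claims can no longer be fetched without a new login."""


def claims_still_available(auth_time, now=None):
    """True while SURFconext is still expected to serve the cached claims.

    auth_time: Unix time of the successful authentication (e.g. the ID token's
    auth_time or the moment you received the token response).
    """
    now = time.time() if now is None else now
    return (now - auth_time) < USERINFO_TTL_SECONDS


def parse_userinfo(status, body, expected_sub, wanted):
    """Turn a userinfo HTTP response into the minimal claim set the service needs.

    status, body:  HTTP status code and JSON text of the userinfo response.
    expected_sub:  'sub' from the ID token obtained in the same authentication.
    wanted:        the claims your service is entitled to receive; everything
                   else in the response is dropped (data minimisation).
    """
    if status == 401:
        # Assumption: an expired or invalid token is refused with 401. Either way
        # the only remedy is a new authentication, as the page states.
        raise ReauthenticationRequired("userinfo rejected; start a new authentication")
    if status != 200:
        raise RuntimeError(f"unexpected userinfo status {status}")

    data = json.loads(body)
    # OpenID Connect Core 1.0, section 5.3.2: the 'sub' in the userinfo response
    # MUST equal the 'sub' of the ID token; otherwise the claims are not trusted.
    if data.get("sub") != expected_sub:
        raise ValueError("userinfo 'sub' does not match the ID token subject")

    unknown = set(wanted) - KNOWN_CLAIMS
    if unknown:  # catches configuration typos such as 'eduPersonAffilation'
        raise ValueError(f"not a SURFconext claim: {sorted(unknown)}")

    result = {}
    for name in wanted:
        if name not in data:
            continue  # an IdP may not release every attribute; caller decides
        value = data[name]
        if name in MULTI_VALUED:
            # Normalise to a list so callers never branch on str vs. list.
            value = [value] if isinstance(value, str) else list(value)
        result[name] = value
    return result


def is_authorised(claims, allowed_affiliations=("employee", "student")):
    """Example access rule: grant access on the affiliation claim only."""
    affiliations = claims.get("eduPersonAffiliation", [])
    return any(a in allowed_affiliations for a in affiliations)


# Constructed sample response; values are made up, not captured from SURFconext.
SAMPLE_SUB = "8f3c2a1d9e7b4c06"
SAMPLE_USERINFO = json.dumps({
    "sub": SAMPLE_SUB,
    "given_name": "Test",
    "family_name": "User",
    "name": "Test User",
    "email": "test.user@example.org",
    "schacHomeOrganization": "example.org",
    "eduPersonAffiliation": ["student"],
    "eduPersonEntitlement": "urn:example:entitlement:demo",
})

if __name__ == "__main__":
    # Only ask for what the service needs; the rest is discarded by parse_userinfo.
    needed = ["sub", "email", "eduPersonAffiliation", "eduPersonEntitlement"]
    claims = parse_userinfo(200, SAMPLE_USERINFO, SAMPLE_SUB, needed)
    print(claims, "authorised:", is_authorised(claims))
```

Call `claims_still_available` before contacting the userinfo endpoint, and handle `ReauthenticationRequired` by redirecting the user to a new authorization request rather than retrying; re-using an old access token past the hour only produces more rejected requests.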